mwisniewski

CCR1072-1G-8S+ GRE over IPSec tunnels not going up

Wed May 01, 2024 4:39 pm

Hello. We wanted to go all hardware in terms of routing. With relatively good experience with the RB4011 (which has GRE over IPSec working), we wanted to connect locations with the CCR1072. I've created IPSec policies (ESP/authentication not shown):

/ip ipsec policy
# side A
add dst-address=172.16.65.1/32 level=unique peer=SIDEB-WAN protocol=gre src-address=172.16.65.2/32 tunnel=yes
# side B
add dst-address=172.16.65.2/32 level=unique peer=SIDEA-WAN protocol=gre src-address=172.16.65.1/32 tunnel=yes

after which Phase2 is up. Then I created GRE tunnels:

/interface gre
# side A
add allow-fast-path=no local-address=172.16.65.2 name=gre1 remote-address=172.16.65.1
# side B
add allow-fast-path=no local-address=172.16.65.1 name=gre-gd-wan1 remote-address=172.16.65.2

However, the tunnel is never brought up. The firewall was disabled for the duration of testing, and there is no NAT in between.

In the meantime, the 4011 has no issues running GRE tunnels to a VyOS peer. Each of the three routers is running 7.14.3, but due to the different architectures that doesn't mean they have anything in common.

I've tested RAW firewall rules:

/ip firewall raw
add action=notrack chain=output dst-address=172.16.65.2 src-address=172.16.65.1
add action=notrack chain=output dst-address=172.16.65.1 src-address=172.16.65.2
add action=notrack chain=input dst-address=172.16.65.2 src-address=172.16.65.1
add action=notrack chain=input dst-address=172.16.65.1 src-address=172.16.65.2

but no luck whatsoever (also, the RB4011 doesn't have them but still works).

What should I look into now, aside from other vendors' hardware?
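
Added example, not part of the original post and not MikroTik code: a small Python check that parses the four `add` lines quoted above and verifies that the IPsec policy selectors and the GRE endpoints mirror each other and that each GRE endpoint falls inside its policy's selectors. The function names `parse_add` and `check_pair` are hypothetical; the check covers configuration consistency only and says nothing about why an interface stays down.

```python
import ipaddress
import shlex


def parse_add(line):
    """Parse one RouterOS export line of the form 'add key=value ...' into a dict."""
    tokens = shlex.split(line)
    if not tokens or tokens[0] != "add":
        raise ValueError(f"not an 'add' line: {line!r}")
    return dict(tok.split("=", 1) for tok in tokens[1:])


def check_pair(policy_a, gre_a, policy_b, gre_b):
    """Return a list of inconsistencies between both sides; an empty list means consistent."""
    pa, ga, pb, gb = (parse_add(x) for x in (policy_a, gre_a, policy_b, gre_b))
    net, addr = ipaddress.ip_network, ipaddress.ip_address
    problems = []
    # Selectors must mirror each other so both peers describe the same traffic.
    if (net(pa["src-address"]), net(pa["dst-address"])) != (net(pb["dst-address"]), net(pb["src-address"])):
        problems.append("policy selectors are not mirrored between A and B")
    # GRE endpoints must mirror each other as well.
    if (ga["local-address"], ga["remote-address"]) != (gb["remote-address"], gb["local-address"]):
        problems.append("GRE local/remote addresses are not mirrored between A and B")
    for side, p, g in (("A", pa, ga), ("B", pb, gb)):
        # The policy only protects GRE if its protocol selector is gre (or all).
        if p.get("protocol", "all") not in ("gre", "all"):
            problems.append(f"side {side}: policy protocol {p['protocol']} does not match GRE")
        # The GRE packet's outer source/destination must fall inside the selectors.
        if addr(g["local-address"]) not in net(p["src-address"]):
            problems.append(f"side {side}: GRE local-address is outside policy src-address")
        if addr(g["remote-address"]) not in net(p["dst-address"]):
            problems.append(f"side {side}: GRE remote-address is outside policy dst-address")
    return problems


# The four lines from the post, copied as posted.
SIDE_A_POLICY = "add dst-address=172.16.65.1/32 level=unique peer=SIDEB-WAN protocol=gre src-address=172.16.65.2/32 tunnel=yes"
SIDE_B_POLICY = "add dst-address=172.16.65.2/32 level=unique peer=SIDEA-WAN protocol=gre src-address=172.16.65.1/32 tunnel=yes"
SIDE_A_GRE = "add allow-fast-path=no local-address=172.16.65.2 name=gre1 remote-address=172.16.65.1"
SIDE_B_GRE = "add allow-fast-path=no local-address=172.16.65.1 name=gre-gd-wan1 remote-address=172.16.65.2"

if __name__ == "__main__":
    result = check_pair(SIDE_A_POLICY, SIDE_A_GRE, SIDE_B_POLICY, SIDE_B_GRE)
    print(result or "selectors and GRE endpoints are consistent")
```

For the lines as posted the check returns an empty list, so the selectors and endpoints agree on both sides.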
